From 75ba087820fddb98415596a5c4aa30787e421d1e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 25 Jun 2020 21:43:43 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/index.yaml | 22 +++++++++++++++++++--- atomics/T1482/T1482.md | 37 ++++++++++++++++++++++++++++++++++++- 2 files changed, 55 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6f864a6c..2ced4ef3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -35592,6 +35592,10 @@ discovery: This technique has been used by the Trickbot malware family. supported_platforms: - windows + dependencies: + - description: nltest.exe from RSAT must be present on disk + prereq_command: WHERE nltest.exe >NUL 2>&1 + get_prereq_command: echo Sorry RSAT must be installed manually executor: command: 'nltest /domain_trusts @@ -35599,13 +35603,25 @@ discovery: name: command_prompt - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 - description: 'Use powershell to enumerate AD information - -' + description: | + Use powershell to enumerate AD information. + Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. supported_platforms: - windows + dependency_executor_name: powershell + dependencies: + - description: PowerView PowerShell script must exist on disk + prereq_command: if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit + 1} + get_prereq_command: Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" + -OutFile "$env:TEMP\PowerView.ps1" + - description: RSAT PowerShell AD admin cmdlets must be installed + prereq_command: if ((Get-Command "Get-ADDomain") -And (Get-Command "Get-ADGroupMember")) + { exit 0 } else { exit 1 } + get_prereq_command: Write-Host "Sorry RSAT must be installed manually" executor: command: | + Import-Module "$env:TEMP\PowerView.ps1" Get-NetDomainTrust Get-NetForestTrust Get-ADDomain diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index 7258826f..1d045438 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -59,13 +59,26 @@ nltest /domain_trusts +#### Dependencies: Run with `command_prompt`! +##### Description: nltest.exe from RSAT must be present on disk +##### Check Prereq Commands: +```cmd +WHERE nltest.exe >NUL 2>&1 +``` +##### Get Prereq Commands: +```cmd +echo Sorry RSAT must be installed manually +``` + +

## Atomic Test #3 - Powershell enumerate domains and forests -Use powershell to enumerate AD information +Use powershell to enumerate AD information. +Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. **Supported Platforms:** Windows @@ -77,6 +90,7 @@ Use powershell to enumerate AD information ```powershell +Import-Module "$env:TEMP\PowerView.ps1" Get-NetDomainTrust Get-NetForestTrust Get-ADDomain @@ -86,6 +100,27 @@ Get-ADGroupMember Administrators -Recursive +#### Dependencies: Run with `powershell`! +##### Description: PowerView PowerShell script must exist on disk +##### Check Prereq Commands: +```powershell +if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" +``` +##### Description: RSAT PowerShell AD admin cmdlets must be installed +##### Check Prereq Commands: +```powershell +if ((Get-Command "Get-ADDomain") -And (Get-Command "Get-ADGroupMember")) { exit 0 } else { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "Sorry RSAT must be installed manually" +``` + +